Add security context template for keystone-webhook container
This implements security context override at pod level and adds readOnly-fs to keystone-webhook container Change-Id: Ia67947b7323e41363a5ee379c0dfb001936b5107
This commit is contained in:
parent
10fd77b6e4
commit
a58a78ff83
@ -37,13 +37,12 @@ spec:
|
||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
spec:
|
||||
{{ dict "envAll" $envAll "application" "kubernetes-keystone-webhook" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
{{ dict "envAll" $envAll "application" "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
containers:
|
||||
- name: kubernetes-keystone-webhook
|
||||
{{ tuple $envAll "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
{{ dict "envAll" $envAll "application" "kubernetes_keystone_webhook" "container" "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
command:
|
||||
- /tmp/start.sh
|
||||
readinessProbe:
|
||||
|
@ -48,9 +48,14 @@ network:
|
||||
port: 30601
|
||||
|
||||
pod:
|
||||
user:
|
||||
kubernetes-keystone-webhook:
|
||||
uid: 65534
|
||||
security_context:
|
||||
kubernetes_keystone_webhook:
|
||||
pod:
|
||||
runAsUser: 65534
|
||||
container:
|
||||
kubernetes_keystone_webhook:
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
affinity:
|
||||
anti:
|
||||
type:
|
||||
|
Loading…
Reference in New Issue
Block a user